Introduction

Over the past few months, F5 Labs has presented a series of articles on fake account creation. We’ve covered why fraudsters create fake accounts and how automation is used to create fake accounts at scale. These articles have described how these fake accounts can negatively impact businesses, but also how security professionals identify fake accounts and leverage security controls to stop bots running fake accounts.

In this deep dive we worked with engineers from F5’s Bot Defense© service to examine how fraudsters attempted to leverage fake accounts and automation during a promotional contest created by a major restaurant chain.

A popular quick-serve restaurant chain offered a promotional contest in which loyalty rewards members could win prizes that included free food and drink items, restaurant gift cards and higher value grand prizes.

The contest was announced via press release on the day the promotion started. To participate, customers needed to be enrolled in the brand’s loyalty rewards program, and they needed to log into their loyalty rewards account to access their daily and weekly contest entries. Within minutes of the official announcement, traffic spiked on the company’s website, but not everyone flocking to the site had the intention to play by the rules. Specifically, some bad actors were hoping to maximize their chances of winning by creating multiple fake accounts. While others were interested in cracking the card numbers for the flood of gift cards that were being won daily by contest participants, this case study focuses on fake account creation associated with this event.

Requirements: One Valid(ish) Email

Each loyalty rewards account required a unique email address. However, like many retail websites, this restaurant did not require that a user validate their email address. This means that almost any combination of characters formatted as a valid email could be used to register an account.

Allowing users to register accounts using any email address without verifying its existence reduces friction in the ordering process, but without an email verification step, fraudsters creating accounts on these systems aren’t limited to email addresses they can readily access, which is a net benefit to fraudsters: it reduces friction within any fraud scheme that requires creating multiple system accounts.

On this retailer’s system, if an account was successfully created, users were immediately logged into their account and could begin accessing menu options such as entering the contest, placing food orders, or updating their account details and payment methods. Once logged in, the user remained logged in until they logged out, cleared their browser data, or reached a maximum session time limit (typically several weeks long).

Logins and Account Creation Spike

The contest began with a surprise press release and ad campaign that announced its start. There were no announcements about the promotion in the days leading up to the event kick-off. From a case study perspective, this was a lucky choice because we can see the immediate impacts of the contest announcement on website login traffic (see Figure 1) and can assume that any account creation activity that occurred in the days prior to the contest’s start were unrelated to the promotion. For this case study, the 14 days leading up to the announcement provided baseline traffic for this restaurant. The promotion provided new chances to win each week, which correlated to higher daily login peaks as those new opportunities rolled out to users.

F5 protected key endpoints for this customer, but not every URL. F5 did not have any visibility into the promotional contest’s web endpoints but did have visibility into account creation and login transactions. The average daily volume of login transactions in the 2 weeks leading up to the promotion was 149,000, and that surged more than 5x to 851,000 during the contest period. At the conclusion of the contest, daily logins returned to baseline levels.